DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
	Claims 1-23 are pending and herein considered.

Drawings Objections
The drawings are objected to because the unlabeled rectangular box(es) shown in Figure(s) 1A-1C and 2 should be provided with descriptive text labels.  While not every feature need be labeled, sufficient labels should be provided to orient the reader to what is being depicted.  Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the 
	
Claim Objections
	Claims 2-7 are objected for minor informalities. Said claims should read:
The[[A]] method of claim 1…
Claims 9-20 are objected for minor informalities. Said claims should read:
The[[A]] system of claim 8…
Claims amendment ids required.

Claim Rejections - 35 USC § 101
Claim 21 is rejected under 35 U.S.C. 101 as being directed at non-statutory subject matter. Computer program product recited by claim 21 lacks a definition. Moreover, the Specification (e.g. par. 10, 53) describes the computer program product as “comprising computer-readable tamper detection code” (i.e. software), that is “Optionally… stored on a non-transitory storage medium”. Hence, the computer program product may be a transitory signal. However, a “signal per se does not fit any of the 4 statutory categories of patent eligible subject matter”. See In re Nuijten 500 F.3d 1346.  To overcome the 101 rejection, it is suggested that applicant amend the claims by adding the feature recited by claim 22 to claim 21.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-5, 7-12, 15-17 and 19-23 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Christodorescu et al. US 2016/0253497 A1 (hereinafter Christodorescu).  
Regarding claim 1, Christodorescu substantially discloses:
A method for detection of tampering in an executable code comprising one or more code blocks, comprising (Methods apparatuses, system, and computer readable medium for “detecting return oriented programming attacks” caused by tampering with executable code stacks to modify control-flow transitions (from one code block to another code block) “e.g., jumps, calls, returns, etc.” (Christodorescu: e.g. par. 1-2, 36, 56, 133; Fig. 1, 7), wherein the system includes monitoring code and code for determining/ identifying a ROP attack, both reading on tamper detection code (Christodorescu: par. 109-113; Fig. 10)):
- monitoring execution of the executable code with a call stack data structure associated therewith, the execution involving accessing one or more address spaces (Static and/or dynamic analysis of program code (tamper detection code) determines the instructions of the program, and generates an inter-procedural control flow graph (CFG), the graph having nodes representing instructions and “edges” (arrows) that represent the control flow transitions “between the [nodes] instructions” due to e.g., call stack data structure) indicates memory locations (addresses) to be monitored/intercepted, and the order in which the memory locations are accessed during program execution (e.g. MR0-MR7 in Fig. 5); during program execution, code accesses to the memory regions are monitored and intercepted (held/released) in accordance with the memory traversal map, which indicates (sets) memory addresses to be monitored/intercepted (Christodorescu: e.g. par. 28-34, 56-62, 92-96, 109-111, 115; Fig. 4-7, 10), to analyze and detect anomalies/attacks, and to apply security countermeasures against detected attacks (Christodorescu: e.g. par. 28-34, 112-114; Fig. 10));
- receiving information about the one or more address spaces, as accessed (“In block 1004, the computing device may retrieve the memory address specified by a memory access request to the memories of the computing device (Christodorescu: par. 110; Fig. 10), where the monitoring of memory accesses is performed in accordance with the memory map, as outlined above);
- comparing the received information about one or more accessed address spaces with information about one or more allowed address spaces defined in the call stack data structure of the executable code (“In determination block 1008, the computing device may determine whether a memory address of a memory access request matches a next memory address of the memory traversal map to determine whether the memory address and the next memory address match” (Christodorescu: par. 112; Fig. 10));
- raising a flag upon detection that the one or more accessed address spaces are different from the one or more allowed address spaces, based on the comparison (“In response to determining that the memory address of the memory access request does not match the next memory address of the memory traversal map (i.e., determination block 1008="No"), the computing device may determine whether the mismatch of the memory address and the next memory address(es) is indicative of an ROP attack in determination block 1010” (Christodorescu: par. 113, Fig. 10). “In response to determining that the mismatch of the memory address and the next memory address(es) is indicative of an ROP attack…the computing device may trigger a configurable security response in block 710” (Christodorescu: par. 114; Fig. 10), including “raising an [flag] alert” (Christodorescu: par. 35, 100)); and
- executing an action based on the raised flag (In addition to the alert (flag), a configurable security response includes “terminating the program, continue program execution in a sandbox for forensic purposes, attempting to repair program state and continue execution of the program, and/or rolling back the program state (with help of a checkpointing mechanism) and continuing execution of the program” (Christodorescu: par. 35, 100)).
The aforementioned covers all the limitations of claim 1. 

Regarding claims 8 and 21-23, they correspond to claim 1. In addition, Christodorescu discloses the system and computer product/storage medium as outlined for the rejection of claim 1. Therefore, claims 8 and 21-23 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Christodorescu for the reasons outlined above and for the rejection of claim 1.

Regarding claim 2-5, 7, 9-12, 15-17 and 19-20, the rejection of claims 1 and 8 under 35 U.S.C 102(a)(2) is incorporated herein. In addition, Christodorescu discloses:
(2 and 9) Monitoring execution of each of the one or more code blocks of the executable code (Christodorescu: e.g. Fig. 4-5; all memory regions MR0-7 are monitored; and as outlined for the rejection of claim 1).
(3 and 10) Monitoring execution of one or more predetermined code blocks of the executable code (Christodorescu: e.g. par. 61-62, Fig. 4-5; in order to minimize the performance overhead, in one embodiment, the memory traversal map includes “memory regions for the vulnerable sections of the program instructions and ignore less vulnerable sections of the program instructions”).
(4 and 11) Monitoring execution of initial one to three code blocks of the executable code (Christodorescu: Fig. 4-5; memory blocks MR0-MR2).
(5 and 12) Terminating execution of the executable code upon raising the flag (Christodorescu: par. 35, 100; as outlined for the rejection of claim 1).
(7and 19) Adding the flag as a global variable to the executable code (The flag is a global variable as it must be visible/accessible to the countermeasure functions 
(15) The tamper detection code is added in line to the executable code (The code for determining/ identifying a ROP attack (tamper detection code) is executed inline when a memory access request is issued and before the response to the access request is received from the memory (Christodorescu: par. 111-115; Fig. 10)
(16) The tamper detection code is a function called for execution of the executable code (The code for determining/ identifying a ROP attack (tamper detection code) is called when a memory access request “to memory addresses corresponding to memory regions of the memory traversal map for the program” is detected;  (Christodorescu: par. 109; Fig. 10)),
(17) The tamper detection code is a stack pointer function (The tamper detection code determines whether a “mismatch of the memory address and the next memory address(es) is indicative of an ROP attack”, where the memory address is the result of executing “e.g., jumps, calls, returns, etc.” instructions (Christodorescu: par. 56, 113; Fig. 10)).
(20) The executable code is associated with a gaming application (Christodorescu: par. 25, 28; “Aspects include methods and computing devices implementing such methods for detecting ROP attacks” where in one embodiment the computing devices are “gaming controllers”).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

	Claims 6 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Christodorescu in view of Nayshtut et al. US 2019/0354678 A1 (hereinafter Nayshtut).
Regarding claims 6 and 13, the rejection of claims 1 and 8 under 35 U.S.C 102(a)(2) is incorporated herein. Christodorescu does not expressly disclose transmitting information to a server. However, in a related application, Nayshtut discloses that data/information related to a (ROP: par. 3, 7) exploit is “transmitted via a network” to an “endpoint security product 206” hosted by a (distribution) “server 102”, which provides “additional analysis describing the types of exploits affecting different endpoints 104A-F in different physical locations”. The additional analysis, enable the server 102 to send to the endpoints, new exploits detection algorithms or updates to existing detection algorithms to improve the detection of (to better “target”) the analyzed exploits. Furthermore, “from time to time” the server distributes different detection algorithms to make it difficult for attackers to “deploy” exploits (Nayshtut: par. 34, 44; Fig. 1-2). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Christodorescu and Nayshtut at least to implement the server and the associated functionality taught by Nayshtut. One would have done so, at least because of the reasons outlined above (per Nayshtut). Accordingly, the information/data related to a (ROP) exploit is transmitted to a network 
Transmitting to a server arrangement, upon raising the flag, information related to one or more of: - one or more programs modifying the address spaces being accessed for execution of the executable code; - information related to an Internet Protocol (IP) address of a user device employing the executable code; and - information about a user profile associated the user device (Address spaces (MRx), and the IP address from which the information is transmitted over the network, per above).

Claims 14 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Christodorescu in view of Harel et al. US 2018/0349598 A1 (hereinafter Harel).
Regarding claims 14 and 18, the rejection of claim 8 under 35 U.S.C 103 is incorporated herein. Christodorescu does not expressly disclose a checksum function to prevent tampering of the tamper detection code and associated data (recited by claim 18), which effectively causes the executable code to comprise at least one read-only segment (recited by claim 14). However, in a related application, Harel (par. 39) discloses a security policy that includes generating signatures (checksums) for software components, where the signatures “can be used to verify that the code being executed…is authentic and has not been modified/altered/replaced”. ). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Christodorescu and Harel. One would have done so for (tamper detection code), as the integrity of said codes is crucial for correct monitoring and determination of ROP attacks, as outlined for the rejection of claim 1. At least in an alternative embodiment, an additional signature is generated for the memory traversal map, as memory traversal map is an integral part of the tamper detection code, storing the expected sequence of memory regions (MRx), as outlined for the rejection of claim 1. Accordingly, Christodorescu in view of Harel discloses:
(14) The executable code comprises at least one read-only segment containing information related to the one or more allowed address spaces thereof (as outlined above), and wherein the processor is configured to execute the tamper detection code to load the information related to the one or more allowed address spaces from the at least one read-only segment (Christodorescu: e.g. par. 103; Loading a portion (segment) of the memory traversal map). 
(18) The processor is configured to implement a checksum function to prevent tampering of the tamper detection code (as outlined above in view of Harel)

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
Thioux et al. US 9,594,912 B1
Tan et al. US 2015/0370560 A1

Communications Inquiry
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ADRIAN STOICA whose telephone number is (571)270-1955.  The examiner can normally be reached on Monday-Friday 9:30-6:00 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.









/SHANTO ABEDIN/Primary Examiner, Art Unit 2494